J2EE Agents and an Online Auction Application

Consider a web-based application that facilitates the auction of various
kinds of merchandise between interested parties. A simple implementation for
such an application will require the users to be in one of three abstract
roles, namely Buyer, Seller, or Administrator. Buyers in this application
will have access to web pages that display the listed auction items, whereas
the Sellers may have access to web pages that allow them to list their merchandise
for new auctions. The Administrators may have access to yet another set of
web pages that allow them to finalize or cancel existing auctions, regardless of
the state those auctions are in. Using the deployment descriptors, the application developer
can express this intent by protecting such components using abstract security
role names. These abstract role names in turn can be mapped to real principals
in a J2EE agent. For example, the role Buyer may be mapped to an Access Manager role
called Employee, the role Seller to an Access Manager role called Vendor, and
the role Administrator to an Access Manager role called Admin. The abstract
role names used by the application developer can be used to protect the necessary
web pages and any specialized Enterprise JavaBeans (EJB) components from unauthorized
access by using declarative as well as programmatic security. Once this application
is deployed and configured, the agent will ensure that only the authorized
personnel get access to these protected resources. For example, access to
the pages meant for Sellers to list their merchandise for auctions will be
granted to user Deepak only if this user belongs to the Access Manager role
called Vendor. Similarly, users Scott and Gina can place bids on this listed
item only if they belong to the role called Buyer. Once the auction period
expires, the auction can be finalized by user Krishnendu only if he is in
the role called Admin.
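The declarative side of the scenario above, as an added example that is not part of the original documentation: a web.xml fragment for the auction application that protects each set of pages with one of the three abstract roles. The URL patterns /items/*, /bid/*, /sell/* and /admin/* are assumed; the mapping of the abstract roles to the Access Manager roles Employee, Vendor and Admin is done in the agent's own configuration and is only noted in a comment here.

```xml
<!-- web.xml (Servlet deployment descriptor) for the auction application -->
<web-app>
  <!-- Abstract roles referenced by the constraints below. The J2EE agent
       maps them to Access Manager roles: Buyer -> Employee,
       Seller -> Vendor, Administrator -> Admin (agent configuration, not shown). -->
  <security-role><role-name>Buyer</role-name></security-role>
  <security-role><role-name>Seller</role-name></security-role>
  <security-role><role-name>Administrator</role-name></security-role>

  <!-- Buyers: view listed items and place bids (assumed URL patterns) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Auction listings and bidding</web-resource-name>
      <url-pattern>/items/*</url-pattern>
      <url-pattern>/bid/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Buyer</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Sellers: list merchandise for new auctions -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Listing merchandise</web-resource-name>
      <url-pattern>/sell/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Seller</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Administrators: finalize or cancel auctions in any state -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Auction administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
```

Because no constraint lists an <http-method>, each applies to every HTTP method, and any URL not matched by some constraint is reachable without an authorization check, so the patterns must cover every page meant to be protected. The same abstract role names are what programmatic checks such as request.isUserInRole("Seller") test against.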